BRKARC-2034-Care and Feeding of Smart Licensing

#CLUS
• In this session, you will learn about deploying Cisco products using Cisco’s latest
product licensing vision. Come learn the foundational concepts you need to need to
as you deploy and configure Smart Software Licensing for Cisco products. Together,
we will go over the various scenarios you might deploy Smart License enabled
products in connected and mediated networks.
• For mediated (disconnected) networks, we will present an overview of the Cisco
Smart Software On-Prem, and how product configuration differs when used. By
moving to an ISO-19770 Software Asset Management (SAM) solution, Cisco Smart
Software Licensing simplifies the deployment of Cisco products focusing on usage
(what and how many) and not enforcement. With Cisco Smart Software Licensing
say “goodbye” to Product Activation Keys (PAKs) and License files!
• It is recommended that the student is familiar with Smart Licensing before taking this
session.
• BRKARC-2010 (Smart Accounts and Smart Licensing)
#CLUS BRKARC-2034 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 2
Care and Feeding of
Smart Licensing
Get Set! Get Ready! Go!
Donnie V Savage, Software Architect

Albert Matabaro, Sr Software Developer
BRKARC-2034
#CLUS
Cisco Webex Teams
Questions?
Use Cisco Webex Teams to chat
with the speaker after the session
How
1 Find this session in the Cisco Live Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
Webex Teams will be moderated cs.co/ciscolivebot#BRKARC-2034

by the speaker until June 16, 2019.
#CLUS © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Agenda
• Get Ready!
• Smart Licensing Overview
• Smart Accounts Overview
• Get Set!
• Smart License Enabled Products
• Smart Licensing Communications
• Go!
• Deploying Smart License Enabled Products
• Conclusion
Acronym Decoder
• CSR – Certificate Signing Request • PIDs – Product IDs
• CSSM or SSM – Cisco Smart Software Manager • PLR – Permanent License Reservation
• DLC – Device Led Conversion • SA – Smart Account
• DNS – Domain Name Server • SBP – Subscription Billing Platform
• FQDN - Fully Qualified Domain Name • SCH – Smart Call-Home
• LCS – License Crypto-Module Support • SKU – Stock Keeping Units
• LVA – Local Virtual Accounts • SLR – Specific License Reservation
• MSLA – Managed Service License Agreements • TPL – Third (3rd) Party Licensing
(Utility)
• UUID – Universally Unique Identifier
• OOC – Out of Compliance
• VA – Virtual Accounts
• PI – Product Instances
BRKARC-2034
Get Ready!
Smart Licensing and Smart Accounts
Smart Software Licensing Overview
Improving the licensing experience
Smart Software Licensing makes the experience for our customers and partners extremely simple in terms
of buying the software, activating it and managing it.
Limited View Complete View

Customers do not know what they own. Software, services, and devices at one easy-to-use portal.
PAK Registration Easy Registration

Manually register each device. Unlock with license key. No PAKs. Easy activation. Device is ready to use.
Device Specific Company Specific

Licenses specific to only one device. Flexible licensing. Use across devices.
Locked Unlocked
You cannot use more than you paid for. Add users and licenses as needed.
Introduction to Smart Software Manager
Cisco Software Central – software.cisco.com
Network Plug
and Play
Manage
Downloads and Software License
Upgrade Products Tools
Ordering and Smart Account

EULA Tools Management
10
Cisco Software Central – software.cisco.com
Request Smart
Account Access
11
Confirm you have authority to create the account
Editing the Account Domain Identifier
Hint:
The domain
identifier will
populate with
details from
your profile – it
may be edited.
Smart Account already exists?
Manage Software License

Downloads and Tools
Upgrade Products
Ordering and Smart Account

EULA Tools Management
BRKARC-2010 #CLUS BRKARC-2034 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Smart Account – Requesting Access
Enter Domain Identifier to notify Administrators
Grant Partner Access to Manage Smart Account
You can grant Partners access to manage the account and your licenses on your behalf by adding them as a User. There are 4
user roles that you can assign Partners to:
Role Access Level Select this when…
Smart Account Administrator Partners can view and manage license You can select this option if only one Partner will
inventory for the entire Smart Account, be managing your entire Smart Account, and also
and can also perform Account if the Partner needs to manage Users and Virtual
management activities. Accounts on your behalf.
Virtual Account Administrator Partners can view and manage licenses You can select this option if the Partner will be
only in specific Virtual Account(s) for managing licenses in specific Virtual Account(s)
which they have been granted access. but not within all the Virtual Accounts. Please note
Partners can also manage Users in the that the Partner will also be able to add/edit and
assigned Virtual Account(s). delete Virtual Account Admins and Users.
Smart Account User Partners can view and manage license You can select this option if the Partner will be
inventory for the entire Smart Account. managing your entire Smart Account, but you
would like to keep control over the Account
management activities (adding/ deleting Virtual
Accounts and User management).
Virtual Account User Partners can view and manage license You can select this option if the Partner will be
inventory for assigned Virtual Account(s). managing licenses within a particular Virtual
Account, but you would like to keep control over
adding or deleting Users within that Virtual
#CLUS Account.
BRKARC-2034 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Smart Account Creator is automatically provided
Customer Smart Account Roles the Smart Account Administrator role.
User Roles Capabilities in CSC Capabilities in SSM Capabilities in ELA Capabilities in LRP
Smart Account • Edit/View Account Properties • No access • No access • No access

Approver • View Users at Smart Account & Virtual Account
Level
• View / Accept Agreements
• View Event Logs
Smart Account • Edit / View Account Properties • Can perform all activities in • Can perform all activities • Can perform all activities
Administrator • Add / Edit / Delete Virtual Accounts Smart Software Manager in ELA linked to the Smart in LRP linked to the
• Add / Edit / Delete Users (at SA and VA level) at Smart Account Level Account they have access Smart Account they have
• View / Accept Agreements and Virtual Account Level to access to
• View Event Logs
Smart Account • View Account Properties • Can perform all activities in • Can perform all activities • Can perform all activities
User • View Virtual Accounts Smart Software Manager in ELA linked to the Smart in LRP linked to the
• View Users (at SA and VA level) at Smart Account Level Account they have access Smart Account they have
• View Agreements and Virtual Account Level to access to
• View Event Logs
Virtual Account • View Account Properties • Can perform all activities in • Can perform all activities • Can perform all activities
Administrator • View Assigned Virtual Accounts SSM for the Virtual in ELA linked to the Virtual in LRP linked to the
• Add / Edit / Delete Users (capability to add Virtual Accounts they have Account they have access Virtual Account they have
Account Admins or Virtual Account Users) access to to access to
• View Agreements
• View Event logs (restricted to assigned VAs)
Virtual Account • View Account Properties • Can perform all activities in • Can perform all activities • Can perform all activities
User • View Assigned Virtual Accounts SSM for Virtual Accounts in ELA linked to the Virtual in LRP linked to the
• View Users (only those linked to assigned VAs) they have access to Account they have access Virtual Account they have
• View Agreements to access to
• View Event Logs (restricted to assigned VAs)
Use of Crypto in Smart Licensing
• Smart Agent generates a pair of public and private keys during registration.
• Smart Agent requests CSSM to sign the public key and return in the ID certificate during
registration.
• The following certificates are involved in the process of signing and validating messages:
• Cisco Root CA certificate: the public key of Cisco CA, embedded in Smart Agent.
• Cisco Sub CA certificate: the public key of Sub CA, signed by Cisco Root CA
• Signing certificate: the public key of LCS message singer, signed by Cisco Root CA.
• ID certificate: the public key of product instance, singed by Cisco Sub CA.
• After registration, Smart Agent signs all requests with its private key and CSSM validates the
requests with Smart Agent’s ID cert.
• CSSM signs all responses with private key (in LCS) and Smart Agent validates the responses
with Signing cert.
• All requests and response are encrypted over HTTPS connection.
18
Introduction to Smart Accounts
What is Cisco Smart Licensing?
• IT Asset Management (ITAM) is a license and product management tool
• IT asset management is an important part of an organization's strategy. It usually involves
gathering detailed hardware and software inventory information which is then used to make
decisions about hardware and software purchases and redistribution.
• IT inventory management helps organizations manage their systems more effectively and
saves time and money by avoiding unnecessary asset purchases and promoting the harvesting
of existing resources.
• Cisco Smart Licensing is configuration only

• No PAK need (Not Node Locked)
• No License File need

• DO NOT “consume" licenses
• Self-Heals for License fixes or RMAs
Smart Account – Overview
• A Smart Account is a single place where
Customers can obtain visibility to their software
and entitlements.
Users & Roles

• Information associated with a Smart Account
Licenses
include
• User roles
• Licenses
• Devices
bigu.edu
Devices
• Agreements the customer has with Cisco.
• These assets can be further divided into “Virtual

Agreements
accounts” that might represents departments,
cost centers or locations within the company.
Organize it according to your business.
Cisco Smart Accounts – Licenses
• DO NOT “consume" licenses (products reports usage and backend
counts usage)
• Self-Heal for License fixes or RMAs
• Product Instances are visible via CSSM portal or On-Prem

• Smart Account will show usage – Quantity, In Use, Surplus
• Virtual Account(s) will be in or out of compliance
• Virtual Account will show which Products Instances are using which
License(s)
How Does Smart Software Licensing Work?
Cisco Smart Licensing is a new way of thinking about licensing at Cisco that is being applied to all products.
Smart Licensing provides a Software Inventory Management System that provides Customers, Cisco, and Selected
Partners with information about Software Ownership and Software Utilization
Ownership Usage
Cisco Commerce Big University Entitlement and Product
Workspace (CCW)
I am Device-East5, I belong to Big University
and I am using 1 Advanced License
Users & Roles
Licenses
I have purchased 5 Advanced
Licenses for Big University bigu.edu
You are Device-East5, belonging to
Big University and the Admissions
Devices Department you are ‘In-Compliance’
Agreements
I own +5
I am using +1
What is a Smart Account
Architected as a “container” - for more than licenses
Asset Pooling Track Purchases
Pool assets, user roles and Review purchases of Cisco
agreements for visibility of Software entitlements and
company license allocate new resources.
entitlements.
User Based Access Manage Services and Review Cases

Customer, partner, or other Subscriptions Manage cases open with Cisco
authorized party for control Manage service contracts TAC and Cisco Support.
of organizational assets. and subscriptions, and
download new software.
Today Future
With My Cisco Entitlements you can...
Secure all and gain Efficiently manage assets Effectively use assets
insights on your and entitlements and entitlements
• Hardware/Devices • Organize products and services • Register products and
• Licenses • Manage simple and secure services
• Subscriptions access controls • Generate or rehost
• Perform Move-Add-Change- licenses
• Services
Delete • Download software
• Insights
• Track devices • Create support cases
Connecting Smart Accounts, Smart Licensing,
Asset Mgmt., Entitlement Mgmt., and Telemetry
for Digital Business Secure Customer Centric
Organized Access
Efficient Consumption
Unified View
Auto-Provisioning
Smart Self-serve Capabilities
License Portability Smart Accounts

Extensible to Partners
Licensing
Compliance
Frictionless Renewals - Synchronicity
Features Activations and Usage

My Cisco
Entitlements Asset
Management (MACD), Co-term
Product Health Telemetry Mgmt. Economies of Scale
Revenue Leakage Prevention

Deployment Mode
Entitlement Customer Data Protection-GDPR
Mgmt.
Coverage Risks – LDoS, Service Coverage
Access Permissions
Service Requests
Delivery #CLUS BRKARC-2034 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Verifications
Introduction to Virtual Accounts
Smart Account Structure
What is in the Smart Account?
Virtual Accounts
Data Center
Users & Roles
Licenses
Campus Access
Devices
bigu.edu
Computer Lab
Agreements
Customer Smart Account Partner Holding

You can USE but not TRANSFER licenses between SAs You can TRANSFER but not USE a license
Account where devices leveraging PAK licenses, Smart Licenses, and Account where partners / distributors can temporarily deposit orders
licenses generated from EAs are stored and managed by a customer, until the end customer Smart Account is identified. Also provide
channel partner, or authorized party company-wide access to orders associated with the Holding
Account.
Smart Accounts – Virtual Accounts
Assets are represented as company owned allowing effortless sharing
across your enterprise
Virtual Accounts Share devices and licenses

across virtual accounts
easily.
Data Center
Users & Roles
Licenses
Campus Access
bigu.edu
Devices
Computer Lab
Agreements
Create sub-accounts to
reflect organization’s
construct.
Smart Accounts – Virtual Accounts
Assets are represented as company owned allowing effortless sharing
across your enterprise
Virtual Accounts
Data Center
Overall Cisco Licenses
Warning and Notifications -25
Users & Roles
Licenses Major Alert: Insufficient licenses – 25 needed to return to

Campus Access compliance
License Quantity In Use Surplus

bigu.edu 1900-WAN- 300 325 -25
Devices Collab-Suite
Computer Lab
1900-Threat- 500 425 +75
Agreements
Defense-Suite
Track and Transfer Devices
ISR1900 Computer Lab A Transfer
ISR1900 Computer Lab B Remove
Get Set!
Smart License Enabled Products
Smart Licensing Communications
Smart Licensing Work Flow
Have more licenses
Device/Product than being used
started
In-Compliance
SL State= (Authorized)
Un-configured Device/Product Registration
For Hybrid Create/Copy Enter Register Platform uses Users & Roles
Product Registration command/GU feature & Licenses
I with ID reports usage

Enable Smart ID Token from
to CSSM
Licensing CSSM Token Devices
Agreements
Customer Smart
SL State= Account identified Out-of
SL State= Compliance
Un-identified
Registered
Using more licenses
than entitled to
Smart Licensing Work Flow - ID Tokens
An ID Token: An ID Tokens is NOT:
• Can be used once – or reused
multiple times • Product specific
• Can be created and revoked at any • Licenses or keys or PAKs
time • “one-time use”
• Expires after a period of time (default • Stored on the Cisco Product
is 30 days; Minimum of 1 day and a • Needed after the product is
maximum of 365 days) registered
Used to securely Register products to a Smart Account and Virtual Account

ID Tokens are “organizational identifier” used to establish ‘identity’ when
registering a Product
Enable Smart Software Licensing
Select:
Inventory
Click:
New Token
Provide:
ID Token Description
Decide:
Allow enablement of
Export Controlled
functionality
(functionality varies
by product)
Note: Enabled by default if
Export Control is allowed for
this Smart Account
Smart Licensing Work Flow - ID Tokens
Select ”Copy”
from “Actions”
drop-down
Smart Licensing Work Flow - Registration
Paste the “ID Token” created in your Smart Account directly into the CLI
Hybrid Products Smart Only Products
device> en
device# config t
device(config)# license smart enable
device(config)# end
device# license smart register idtoken <id token> device# license smart register idtoken <id token>
<id token>
“ID Token” is copied from Smart Account either manually via Cisco API’s
 Can be used once – or multiple times
 Can be used on any or every Cisco product
 Can be created and revoked at any time
 Can be created and accessed via APIs
 Expires after a period of time (default is 30 days; Minimum of 1 day and a maximum of 365 days)
Smart Licensing Work Flow - Hybrid Products
Smart-Device>en Notes:
Smart-Device#config t
This command is used on platforms
Enter configuration commands, one per line. End with CNTL/Z.
Smart-Device(config)# license smart enable
that support BOTH Classic and
Smart-Device(config)# Smart Software Licensing.
*Oct 15 09:38:59.300: %SMART_LIC-6-AGENT_ENABLED: Smart Agent for
Licensing is enabled Reload may be required to switch
*Oct 15 09:38:59.301: %SMART_LIC-6-HA_ROLE_CHANGED: Smart Agent HA licensing mode.
role changed to Active.
*Oct 15 09:39:00.302: %PKI-4-NOCONFIGAUTOSAVE: Configuration was
Smart Call Home is automatically
modified. Issue "write memory" to save new IOS PKI configuration
*Oct 15 09:39:00.302: %CALL_HOME-6-CALL_HOME_ENABLED: Call-home is
enabled when Smart Software
enabled by Smart Agent for Licensing. Licensing is enabled.
*Oct 15 09:39:00.302: %SMART_LIC-5-COMM_RESTORED: Communications with
Cisco licensing cloud restored Device responds with message
Smart-Device(config)# when successful.
Smart Licensing Work Flow - Registration
Smart-Device#license smart register idtoken <paste>
Registration process is in progress. Use the 'show license status' command to check the progress and result
Smart-Device#% Generating 2048 bit RSA keys, keys will be exportable...
*Oct 15 12:54:41.741: %RF_ISSU-3-INVALID_SESSION: RF ISSU client on domain (0) does not have a valid
registered session.
[OK] (elapsed time was 1 seconds)
*Oct 15 12:54:41.741: %SSH-5-DISABLED: SSH 1.99 has been disabled
*Oct 15 12:54:42.492: %SSH-5-ENABLED: SSH 1.99 has been enabled
*Oct 15 12:54:42.533: %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Issue "write memory" to save new
IOS PKI configurationWait for IIC event to get throughput higher than 100K
*Oct 15 12:54:49.966: %SMART_LIC-5-COMM_RESTORED: Communications with Cisco licensing cloud restored
*Oct 15 12:54:50.030: %SMART_LIC-6-EXPORT_CONTROLLED: Usage of export controlled features is Allowed
*Oct 15 12:54:50.030: %SMART_LIC-6-AGENT_REG_SUCCESS: Smart Agent for Licensing Registration with Cisco
licensing cloud successful
*Oct 15 12:54:50.030: %SMART_LIC-5-EVAL_START: Entering evaluation period
*Oct 15 12:54:50.030: %VXE_THROUGHPUT-6-LEVEL: Throughput level has been set to 100 kbps
*Oct 15 12:54:56.614: %SMART_LIC-3-OUT_OF_COMPLIANCE: One or more entitlements are out of compliance
*Oct 15 12:54:56.614: %SMART_LIC-6-AUTH_RENEW_SUCCESS: Authorization renewal with Cisco licensing cloud
successful. State=OOC
Note:
In this example the device is communicating that no available licenses are in the
Virtual Account
Smart Licensing Work Flow – Usage Reporting
Smart-Device#license smart renew auth Note:
Authorization process is in progress. Use the 'show license status' command to checkForce
the progress and
an authorization renewal
result
Smart-Device#
*Oct 15 13:03:54.199: %VXE_THROUGHPUT-6-LEVEL: Throughput level has been set to 50000 kbps
*Oct 15 13:03:54.199: %SMART_LIC-6-AUTH_RENEW_SUCCESS: Authorization renewal with Cisco licensing cloud
successful. State=authorized
Smart-Device#
Smart-Device#show license status
Smart Licensing is ENABLED
Registration: Note:
Status: REGISTERED
Smart Account: Canada Motors Inc. Device updates state
Virtual Account: Cisco-TAC
Export-Controlled Functionality: Allowed
Initial Registration: SUCCEEDED on Oct 15 12:54:49 2017 UTC
Last Renewal Attempt: None
Next Renewal Attempt: Apr 12 12:54:49 2017 UTC
Registration Expires: Oct 14 12:48:59 2017 UTC
License Authorization:
Status: AUTHORIZED on Oct 15 13:03:54 2017 UTC
Last Communication Attempt: SUCCEEDED on Oct 15 13:03:54 2017 UTC
Next Communication Attempt: Nov 14 13:03:53 2017 UTC
Communication Deadline: Jan 13 12:58:06 2017 UTC
• Verify licensing status
csr1kv# show license status
Tue Sep 29 07:34:36.023 PDT
Smart Licensing is ENABLED

Initial Registration: SUCCEEDED on Mon Sep 28 2017 21:55:46 PDT
Last Renewal Attempt: None
Registration Expires: Sun Dec 27 2017 11:49:40 PDT
Status: AUTHORIZED on Mon Sep 28 2017 21:56:10 PDT
Last Communication Attempt: SUCCEEDED on Mon Sep 28 2017 21:56:10 PDT
Next Communication Attempt: Wed Oct 28 2017 21:56:10 PDT
Communication Deadline: Sun Dec 27 2017 11:49:16 PDT
csr1kv#
Smart Licensing Work Flow – Product Config
Reference
IOS XE Based Product Example
Product Specific Configuration Guides Found at: cisco.com/go/smartlicensing
Enable Smart License for Hybrid license smart enable
Products
* See Product specific Configuration guide to determine if your product defaults
to traditional licensing
Insert Authentication token into (Exec Mode)
Device license smart register idtoken <idtoken from CSSM or CSSM sat>
Configure which licenses to enable license boot level license_level
* See Product specific Configuration guide for all options
Smart Licensing Work Flow – Product Config
Reference
IOS XE Based Product Example
Product Specific Configuration Guides Found at: cisco.com/go/smartlicensing
Complete ip name-server server-address
Basic IP ip name-server vrf Mgmt-vrf server-address
Connectivity ip domain lookup source-interface interface-type interface-number
ip domain name example.com
Configuration
ip http client source-interface interface-type interface-number
Smart Use a Proxy Server instead of Direct Connect:

Licensing call-home
http-proxy proxy-address port port-num
Optional
Configuration
Use a Smart Software Manager On-Prem instead of Direct Connect:
call-home
(Unnecessary profile CiscoTAC-1
for Most no destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
Customers destination address http https://<ip.address>:443/Transportgateway/services/DeviceRequestHandler
using Direct
Connect to Remove Host Names from communications
Cisco) call-home
data-privacy hostname
Understanding Product Licensing State
Smart License Product States
• Registered state
Product has been associated with a valid Smart Account
Un-
• Authorized state (In Compliance) Registered
Product is using an entitlement, and the Virtual Account Failed

does not have a negative balance Register
Product
• Out of Compliance state
Product is using an entitlement, but the Virtual Account Registered
State
has a negative balance
Remains in state until Remains in state
• Authorization expired state Product communicates Consume while Smart
with Cisco License Account is OOC
Product has not communicated with
Cisco within a maximum of 90 days Out Of
Authorization Authorized
Compliance
Expired State
State
Note: Platforms may differ with timeouts, check with

specific platform for details
Smart License Product States – Registered
• Initial registration
1. A Registration Message is sent when Product is
registered via CLI with a valid ID Token. Un-
Registered
2. Cisco will reply with a Cryptograph ID certificate that, Failed

by default, is valid for one year. Register
Product
• If there is a failure sending the message the retry,

interval will be as follows: Registered
State
• Every 15 minutes for 4 hours.
• Then every hour until successful, or Consume
License
Smart License is disabled via CLI
Out Of
Compliance
Expired State
State
Smart License Product States – Licenses
• One a product has been successfully registered, it can be configured
to use an licenses via CLI
Un-
• A Entitlement Message is sent when Product is Registered
configured to use licenses via CLI Failed

Register
• The Entitlement Response message will Product
1. Indicate if the Virtual Account is in or out of compliance Registered

2. Provide the length of time the request is valid, and State
the renewal interval.

Consume
• By default the Licenses usage is valid for License
90 days, and renewed every 30 days

Out Of
Compliance
Expired State
State
Entitlement Authorization Request or Renewal
• Authorization based on Cryptograph ID certificate
• Valid for 1 Year, renewed will be sent every six months
Un-
• If there is a Communications Failure sending the Registered
renewal, the retry interval will be as follows: Failed

Register
• If the agent is in the authorized state Product
• Retry every 23 hours

Registered
• If agent is in the Out of Compliance (OOC) state State
• Retry every 15 minutes for two hours

• Then once every 4 hours. Consume
License
• If agent is in the authorization expired state
• Retry once every hour. Authorization Authorized
Out Of
Compliance
Expired State
State
Registration ID Certificate Renewal
• If there is a Communications Failure sending the
message, the retry interval will be as follows:
Un-
• One per hour until success Registered
• Or until Cryptograph ID certificate expires. Failed

Register
• If there is is NO Communications within 90 days Product
• License usage is released Registered

State
• If there is NO Communications after 1 year

• Device become “unregistered” Consume
License
• Device must be re-registered
Out Of
• Use any remaining evaluation time Authorization
Expired
Authorized
State
Compliance
State
Understanding Product Licensing
Communication
Smart Product Telemetry & Visibility
• Industry Standard HTTPS (SSLv3*/TLS)
• Protects User’s Privacy! 01100101
100101011011
• HTTP over TLS used for Transport encryption 101001001010
0101101100100
• Telemetry sent to Cisco is User Configurable 001010011001
11010110101
• Smart Call Home Information is optional 1101001
• Smart License Information is minimal

• Auditable Telemetry sent by Smart Software
Manager On-Prem
• You have the right to inspect the data gathered
• License Information is in Text (YAML formatted)
* Newer products only use TLS
How does HTTPS work?
• Smart Agent generates a pair of public and private keys during registration.
• Smart Agent requests CSSM to sign the public key and return in the ID certificate during
registration.
• The following certificates are involved in the process of signing and validating messages:
• Cisco Root CA certificate: the public key of Cisco CA, embedded in Smart Agent. Validation
• Cisco Sub CA certificate: the public key of Sub CA, signed by Cisco Root CA Signing
• Signing certificate: the public key of LCS message singer, signed by Cisco Root CA.
• ID certificate: the public key of product instance, singed by Cisco Sub CA.
• After registration, Smart Agent signs all requests with its private key and CSSM validates the
requests with Smart Agent’s ID cert.
• CSSM signs all responses with private key (in LCS) and Smart Agent validates the responses
with Signing cert.
• All requests and response are encrypted over HTTPS connection.
Smart License Product Telemetry
• The Cisco Smart License requires the following minimal exchange of information during
install/provisioning time.
Cisco Smart
Software Manager
Information Collected Required?
Trusted Unique Identifier
Yes
(SUDI/SUVI/ID) HTTPS
-or-
Licenses Consumed Yes
Organization Identifier (ID Token) Yes Cisco Checks:
Hostname No Offline  Licenses
 Device IDs
AAA ID of User Making Change No On Premises  Business Rules
Feature Tags No Smart Software
Then
Manager
Other Smart Call Home Information No  Authorizes Use
* By default more information is exchanged, but this is configurable

Backend Communication Channels and Ports
CSSM Direct Connection CSSM On-Prem Connection
• Cisco Products communicate by • Cisco Products communicate with
default (out of the box with Smart Smart Software Manager On-
Software Manager Prem using the same protocol.
• Protocol: • Protocol:
• HTTPS(443): tools.cisco.com • User Interface: HTTPS(8443) Only
• HTTP(80): www.cisco.com • Products: HTTP(80)/HTTPS(443)
• CSSM: HTTPS(443)
Syncs:
• swapi.cisco.com •
api.cisco.com. (old)
• IPv4: 146.112.59.25 swapi.cisco.com (new)
• IPv6: 2a04:e4c7:fffe::4 • Account Registration:
cloudsso.cisco.com
Smart Product Data Interchange & Visibility
Information exchanged
• Required information includes:
• Unique identifier for the device.
• Licenses that are being used.
• Organization identifier (ID Token created in your Smart Account). This is a single
cryptographically signed key that will be used for all products and installations in
your network anywhere in your company.
• If you sell a device, the licenses are NOT transferred:

• The license will remain within the original Smart Account.
• You will still be able to use the license although the device it was
originally used with is absent.
• DO NOT FORGET to de-register it so the new owner doesn’t consume
YOUR licenses! router # license smart deregister
How does HTTPS work?
• HTTPS is based on public/private key-IR cryptography:
• The public key is used for encryption
• The private key is required for decryption.
• When your product connects to Cisco, it will return its certificate (public key with a
label identifying Cisco as the owner)
• The browser checks if the certificate is valid:
• Owner information needs to match the server name (OR IP) that the user requested.
• Certificate needs to be signed by a trusted certification authority.
• If these conditions is not met, the product will reject the HTTS connection
• After the verification, the product extracts the public key and uses it to encrypt some
information before sending it to the Smart Call Home Server
• The Smart Call Home Server can decrypt it because it has the matching private key.
Go!
Deploying Smart License Enabled
Products
Deploying Smart License Enabled Products
Access To Cisco
1
over the
Cisco product sends usage information directly
+ internet or through a HTTP Proxy Server. No additional
2 components are needed.
Access Through An On-Premise License

Management
Ease of use
3
Cisco products send usage information to Smart Software
+ Manager locally installed. Periodically, exchange information
4 automatically in connected environments or manually in
SSM
disconnected environments.
On-
Prem
5 No Access – License Reservation

Use copy/paste information between product and Cisco.com to
manually check in and out Licenses. Functionally equivalent to
current node locking, but with Smart License tracking.
Method 1
Smart Licensing Direct Cloud Access

Smart Call Home – High Level
• Smart Call Home Server is located in a secure Cisco Data Center
• Smart License messages are sent to the Cisco SSM portal
Smart License uses only the SmartCall Home Client
Smart License
• Cisco Smart
(Packet Delivery) Software Manager
SCH
Call Home Client

• Information is exchange using
HTTPS (TLS/SSL encryption HTTPS
Smart Agent
of data)
Home Server
Smart Call
Cisco Smart Call
Product Home
Decision is made by the configuration of the SCH configured

“contact”
Smart Call Home – Smart Licensing Only
• Service Active
Enable call-home service
• Contact-email-addr sch-smart-licensing@cisco.com
Contact email address is mandatory for sending SCH notifications. If it is configured as sch-
smart-licensing@cisco.com, the email address configured in Cisco Smart License Portal will be
used
• Profile CiscoTAC-1
Call-home profile CiscoTAC-1 is configured to send Smart licensing message by default
• Active
Enables profile to be used
• destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
Configure HTTP destination address with service URL
• destination transport-method http
Change transport method to HTTP (this includes HTTPS)
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/callhome.html
Smart Call Home – Smart Licensing Only
• Smart License does not require ALL of Smart Call Home
• Smart Call Home reporting CAN be disabled
• Smart License only uses the Call Home Client (Packet Delivery)
• When Smart Call Home reporting on the Product is not used,
• contact-email-addr must be configured as sch-smart-licensing@cisco.com
❌ This is NOT an email address – it just looks like one
❌ Inventory is not sent
❌ Configuration information is not sent
❌ Environmental conditions is not sent
❌ Diagnostics to include syslog events is not sent
Smart Call Home – Default CSR1000v
Configuration
service call-home
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to
send SCH notifications. Automatically added on Smart License enablement.
contact-email-addr sch-smart-licensing@cisco.com Do not change!
rate-limit 20
alert-group-config snapshot Here is where you limit data sharing:
data-privacy level normal data-privacy {level {normal | high} | hostname}
syslog-throttling reporting no-call-home-data | Only hostname can be sent.
Not all products support call home data sharing.
profile "CiscoTAC-1"
active
no anonymous-reporting-only
Automatically added on Smart License enablement.
reporting smart-call-home-data
Do not change!
reporting smart-licensing-data
destination preferred-msg-format xml
destination message-size-limit 3145728
destination transport-method http
no destination transport-method email Note: No SCH email sent by default.
destination address email callhome@cisco.com
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService Authorized Backend URL
Method 2
Proxy / Gateway
Transport Gateway or Proxy
1 HTTPs Request
2 HTTPs Response
Most Common HTTP Request Methods:

tools.cisco.com
• GET
• POST
• CONNECT (Explicit proxy only)
1 HTTPs Request 2 HTTPs Request
4 HTTPs Response 3 HTTPs Response
proxy-server tools.cisco.com
Configuration Example
• Change HTTP destination address of CiscoTAC-1 profile to TG service URL.
asr9k#conf t
asr9k(config)#call-home
asr9k(config-call-home)#profile CiscoTAC-1
asr9k(config-call-home-profile)#no destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
asr9k(config-call-home-profile)#destination address http https://proxy-server
asr9k(config-call-home-profile)#commit
asr9k(config-call-home-profile)#end
asr9k#
asr9k#show running-config call-home
call-home
profile CiscoTAC-1
destination address http https://tg-server
!
!
NOTE: The default destination to cisco must be removed when configuring when
using with proxy, or On-Prem
(Standard Client HTTPS)
SSL :443
Certificate
CN=www.cisco.com Cisco.com
Signer= Verisign CA
Expires=Jan 1, 2011
Certificate: public key

3 HTTPS Security checks • CN: Common Name
 Does the CN match the URL typed in?
Signer: Trusted certification
 Is the Signer a trusted CA authority? authority
 Is the certificate not expired?
GET / (Encrypted)
200 OK (Encrypted)
(HTTPS proxy)
Decrypt / Pass through / Drop?
SSL
SSL
:433
:433
Certificate Cisco.com
Certificate (unmodified)
Pass Through
Traffic Tunneled
Certificate (WSA cert) Decrypt

3 HTTPS Security
checks
SSL Fatal Error (Page cannot be displayed) Drop

• Is Not Required When • Is Required When • Is Desirable When
• Devices can send • Managed devices do not • Needs to inspect traffic on
messages directly to have direct access to the LAN while securely
cisco.com using HTTPS cisco.com communicating over the
• Encryption capabilities of • A HTTP proxy server is Internet
all managed devices meet required to reach • Needs all outbound traffic
the customer's security cisco.com to be sourced from a
requirements single device
• Devices can send
messages directly to
cisco.com
Method 3 & 4
Smart Software Manager On-Prem

What is Smart Software Manager (SSM) On-Prem?
A Smart Software Manager On-Prem is…

• A component of Cisco Smart Licensing and works in
conjunction with the cloud-based Cisco Smart Software
Manager (SSM)
A Smart Software Manager On-Prem is ideal for…

• Customers who have strict security requirements and do
not want their products to communicate with the central
licensing database on Smart Software Manager over a
direct Internet connection
SSM On-Prem – Deployment Model Overview
Smart Software
Manager
On-Prem
Service Providers Cisco Partners Large Enterprises
Supports multiple Scales up to 10,000 Provides online or offline Similar User Interface Enables faster code
local accounts products and 500 local connectivity to Cisco SSM drop and feature parity
accounts at Cisco SSM
To get a more detailed description of Smart Software Manager On-Prem solutions in the User Guide
https://www.cisco.com/go/smartlicensing
How does Cisco SSM On-Prem Work?
1 2 3
Install/Register to Synchronize Local
Self-Register/Report
Cisco SSM Database
• Install Smart Software • Devices and software • Choose to periodically

Manager On-Prem & products self-register synchronize local
register it to Cisco and report license database to the Cisco to
Smart Software consumption ensure up to date files
Manager
Cisco SSM On-Prem Benefits
Trusted Real-time Utilization Increased Unlocked Cost
Security Entitlement Visibility Control Reduction
Secure on- Near real-time Complete view of Flexible licensing Elimination of the Save time and
premises single license entitlement software, services, pooling enable node-locking of money through
source of truth of based on and devices in licenses to be licenses to efficient license
license synchronization easy-to-use portal. reused across devices, simplifies usage
consumption schedules with devices and the the RMA process
backend install organization
base
SSM On-Prem vs satellite - Highlights
SSM satellite Classic Edition Smart Software Manager On-Prem

• Single Tenant – one customer (represented by • Multi-tenancy - support multiple Smart Accounts on
a Smart Account). CSSM though a single management portal.
• Registration & Synchronization with CSSM • Registration & Synchronization with CSSM
• Cent OS code base with similar UI as CSSM • CSSM code base with converge UI
• Single User Role with single authentication • Multiple User Roles via multiple authentication
methods (local database only) methods (LDAP, OAuth2, local)
• One portal for license and system management • Separate Administration and License Workspaces
• Limited management tools for troubleshooting • License Hierarchy, Syslog, Proxy, etc.
• 4K device scalability (10K with satellite 5.1) • 10K with version 6.0, grow to 500K device
scalability
• Support hierarchical sub accounts (future)
Licensing Admin
Smart Software Manager On-Prem - Workspac
e
Workspac
e
Setup/Registration
Approve
Kickstart Network User Request On-Prem Manage
New Account Account
Installation Configuration Operational Account
Request
or Register an
System
Account to
Configuration Request Product
Cisco SSM
Access to Registration
An Existing
User Creation/ Account
Authorization
Periodic Sync
 Customer  Customer  User logs  Admin to
downloads VM configures VM in and approve
off cisco.com with IP selects Account
and installs address, DNS, Request  Admin needs the
following info:
NTP Account
o Cisco Smart
Account
o Cisco Virtual
Account
o Cisco UserID and
password
Smart Software Manager On-Prem -
Requirements
• The Free installation package is available in ISO installable via
Bootable Media
System Requirements
(Customer Provided):
ISO
Smart Software Manager On-Prem Minimum Recommended
Containers
Database
200 GB Hard Disk 200 GB Hard Disk
Crypto Services
License/Admin 8GB Memory 8GB Memory
License Services Workspace
2 vCPUs 4 vCPUs
(Centos 7)
4000 products 10000 products
Cisco Smart Software Manager On-Prem -
Installation
• Deploy the ISO into either a VM or bare metal
• Configure IP address (IPv4 and/or IPv6)
• Configure Netmask / Prefix
• Configure Default Gateway
• Configure DNS
• Connect to Administration portal via a browser
• Login as default “admin/CiscoAdmin!2345” user
• Change the admin’s default password
• Register Account(s) with Cisco Smart Account/Virtual Account
• Synchronize Account(s) with Cisco Smart Account(s)
Cisco Smart Software Manager On-Prem
HTTP/HTTPS communication:
• Products communicating with Smart Software Manager On-Prem via HTTPS use one of two
Cisco signed certificates dependent on the smart agent version
Older
\ Products: Newer Products:
• Smart Agent versions prior to 1.5 • Smart Agent versions 1.5 and later
• Use a 3-tier certificate • Use a 4-tier certificate
• Must wait 10 business days for Cert to • Can be registered with no delay
be available and synchronized
• Agent version can be seen with “show license all”

• Check to make sure that the time is correct on the Smart Software Manager On-Prem and
product.
Show License All (ASAv)
asa971# show license all License Usage
==============
Smart Licensing Status
====================== ASAv30 Standard - 2G (ASAv-STD-2G):
Description: ASAv30 Standard - 2G
Smart Licensing is ENABLED Count: 1
Version: 1.0
Registration: Status: OUT OF COMPLIANCE
Status: REGISTERED
Smart Account: CISCO LIVE Product Information
Virtual Account: JLN-Sat ===================
Export-Controlled Functionality: Allowed UDI: PID:ASAv,SN:9AJP2PTBH1L
Initial Registration: SUCCEEDED on Feb 08 21:24:22 2017 UTC
Last Renewal Attempt: None Agent Version
Next Renewal Attempt: Mar 10 18:57:40 2017 UTC =============
Registration Expires: May 09 14:04:18 2017 UTC Smart Agent for Licensing: 1.6.4_rel/63
Status: OUT OF COMPLIANCE on Feb 08 21:24:34 2017 UTC
Last Communication Attempt: SUCCESS on Feb 08 21:24:34 2017 UTC
Next Communication Attempt: Feb 09 09:24:34 2017 UTC
Communication Deadline: May 09 14:04:18 2017 UTC
How do I deploy products with Smart Software
Manager On-Prem ?
• Products register to On-Prem the exact the same way as with
Cisco
• Change the ‘Authorized Backend Address’ (See product documentation)
• Example for IOS Devices:
call-home
profile CiscoTAC-1
no destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address http https://<ip.address>:443/Transportgateway/services/DeviceRequestHandler
Product Registration with Strict Cert Checking
HTTPS, by default, will do a server identity check during SSL handshake which verifies destination
URL is the same Common Name (hostname or ip) filled in certificate.
Assume On-Prem Cert is assigned to CN=CiscoOn-Prem with IP address of 10.20.30.40
• If you can change the URL for your device • If you can change the URL for your
to point to:
https://CiscoOn-Prem/Transportgateway device to point to
https://10.20.30.40/Transportgateway
• That means your device can
resolve CiscoOn-Prem to 10.20.30.40 • That means you need to configure the On-
Prem name to 10.20.30.40
• In regular IOS you can do this by configuring:
“ip host CiscoOn-Prem 10.20.30.40” • This will cause the Cert to be assigned to
CN=10.20.30.40
• Or change DNS name to match.
Note: If product supports it, you can use “no http secure server-identity-check” to disable
the check and keep using ip address in URL.
Key Features in SSM On-Prem
Multi-tenancy: Manage multiple customer accounts in a single management portal
• Administration Workspace only accessible by System Admin and System Operators
• Licensing portal is for Smart Licensing and Administration.
• Multiple levels of RBAC (Admin, Operator, User)
Security Enhancements:
• Separate Workspace for Licensing and Administration:
• CentOS 7 Security Harden Kernel
• User Authentication Control: LDAP or OAuth2
Networking Support
• IPv4 and IPv6 support
• Multi-NIC: multiple interfaces for traffic separation between network management and product instance registrations.
Proxy support: Allow for satellite to have a proxy between itself and Cisco Smart Software Manager for traffic separation
• Firewall Zones: Ability to configure interfaces for Internal (access) or External (no access)
System Alerts and Notifications

• Email Support for notation of License Events
• Syslog support: Account events can be configured to be sent to a syslog server
Key Features in SSM On-Prem
Longer Sync Intervals
• Native 365-day Synchronization Schedule
• Allow satellite to functions as long as it synchronizes with Cisco once a year.
New License Features

• API Support for automation of product deployment
• License AppHA: Allows for the reporting of a single license usage for both standby and active Applications
• License Hierarchy: Enable borrowing of a higher-tier license to be fulfilled when a lower tier license is not
available
API Support
• Resource and Owner credentials grant supported
• 5 major API groups for over 15 unique APIs
Improved Scalability
• 500+ accounts
• 10,000 Product Instances
• Active development in progress to increase scale
Smart Software Manager On-Prem:
Licensing Portal vs. Admin Portal
Licensing Portal Administration Portal
Enables internal administrative functions
including user control, account
Similar functionality to software.cisco.com
management, registration,
synchronization, and much more
Users can manage their local accounts, Supports additional functionality including
users, product instances, devices and external authentication, syslog and proxy
licenses support
Users can create new local accounts,

request access to local accounts and
Restricted to only authorized users
manage local accounts and local virtual
accounts
Licensing and Administration Portal Roles
Licensing Portal Roles Administration Portal Roles
Similar to CSSM Smart Account and Virtual Account System Users System Operators
roles but at the local level within the satellite. Have full admin access to
Have read-only
permission on the Admin all the local accounts, can
portal and have role perform local Account
Local Account Admins based access control in registration/synchronization,
the licensing portal & can not change system
configurations
Local Account Users

System Admins
Have all of the abilities as the
Local VA Admins System Operator plus they can
approve and delete local accounts
and complete all system
Local VA Users configurations
Administration Workspace
Manager Users with different level of authority Synchronization with Cisco (online & offline)
on On-Prem EE. Each system user can have a
different RBAC on Licensing portal
Register Accounts to your CSSM Smart Local Software Download repository were
Account/Virtual Account pair you can host software images for purchased
products.
Enable/Disable On-Prem API access, create
Client and Resource Grant types
Set up User authentication – SSO,

OpenLDAP, LDAP Groups
Configure network parameters such as IP

address, gateway, proxy
Set up system level parameters such as

message banners, email settings, NTP,
syslog server setting
Administration Workspace - System RBAC
• All Users: • System Admin
• Can be local, or authenticated • Full System access
with an external system • Access to all Account(s)
• Local users have preference over
• System Operator (restricted)
authenticated users
• No ability to change system
• Are not required to have Cisco configurations
CCO Accounts • Access to all Account(s)
• Must have access to Smart
Account Admin access at Cisco • System User (restricted)
to create local On-Prem account • Limited to License Workspace Only
• Access to all Account(s)
Administration Workspace – Registration
• All Accounts map to a Smart Account/Virtual Account
• Customer requests account; email alert is sent to System Admin(s)
• System Admin performs account creations and grants user Access
• Flexible Account Setup models

• Single Smart Account mapping to Multiple On-Prem Accounts
• Multiple Smart Account mapping to Multiple On-Prem Accounts
How Smart Software Manager On-Prem see’s Virtual Account Mapping
has
Smart Account 1
Virtual Account
1
Sync
Entitlements
SSM On-Prem has Default Local consumes
Local Account 1 1 Virtual Account Instances
Local Virtual Entitlements
Account consumes
Instances
Entitlements
Local Virtual
Account
consumes
Instances
Example: On-Prem Accounts to Single Smart Account
Accounts
Department 1 software.cisco.com
Department 2
Virtual Account
Department 3
Smart Software Virtual Account BigU.edu

Manager On-Prem
Virtual Account
Licensing Workspace
Example: On-Prem Accounts to Multiple Smart Account
Accounts
Customer 1 software.cisco.com
Customer 2
Virtual Account BigU.edu
Customer 3
Smart Software Virtual Account MediumU.edu
Manager On-Prem
Virtual Account SmallU.edu
Licensing Workspace
Smart Software Manager On-Prem - Registration
Customer SSM On-Prem CSSM LCS
1 Request Account (Smart Account/Virtual Account)

2 Registration Request
3 4-Tier Cert Request
4 4-Tier Cert Response

3 Registration Response
4 Full Sync Request
5 Full Sync Response
1 Request Account (Smart Account/Virtual Account)
3 4-Tier Cert Request
NOTE: 4 4-Tier Cert Response

Smart Account maybe same or different 3 Registration Response
Virtual Account must be different 4 Full Sync Request
Customer SSM On-Prem CSSM LCS
 Optimization Opportunity #CLUS BRKARC-2034 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 96
Smart Software Manager On-Prem via Proxy
Customer SSM On-Prem Proxy CSSM
1 Request Account (Smart

Account/Virtual Account) 2 Registration Request
6 Full Sync Request

7 Full Sync Request

Customer SSM On-Prem Proxy CSSM
Deployment Modes – Connected v. Disconnected
Connected Disconnected
• Mode is used when there is direct connectivity • Mode is used when there is no connectivity to
to cisco.com from the satellite cisco.com from the satellite
• License consumption and entitlement can be • Satellite can be synchronized with Cisco SSM
synchronized with Cisco SSM on-demand or via a file upload and download
automatically via scheduling
• Standard model for EE, easiest to deploy
Cisco
Cisco
Automatic
Updates Periodic
Updates
• At registration there are 2 files exchanged between Smart Software Manager On-
Prem and Cisco
• Registration file (Smart Software Manager On-Prem  Cisco)
• Authorization file (Cisco  Smart Software Manager On-Prem )
• During normal operation, there are 2 different files exchanged between Smart
Software Manager On-Prem and Cisco
• Sync Request file (Smart Software Manager On-Prem  Cisco)
• Sync Response file (Cisco  Smart Software Manager On-Prem )
• Auditable data sent by Smart Software Manager On-Prem

• Information is in text (YAML formatted)
• You have the ability to inspect the data gathered!
At registration there are 2 files exchanged between CSSM On-Prem and Cisco
CSSM On-Prem
Registration file swapi.cisco.com
CSSM On-Prem Authorization file

swapi.cisco.com
Smart Software Manager On-Prem - Sync
During normal operation, there are 2 different files exchanged between SSM On-
Prem and Cisco
CSSM On-Prem
Sync Request file swapi.cisco.com
CSSM On-Prem Sync Response file

swapi.cisco.com
Smart Software Manager On-Prem – Registration
• Registration file(Smart Software Manager On-Prem  Cisco)
• instance_id:
A Universally Unique IDentifier (UUID) (Each Smart Software Manager On-Prem
has unique UUID)
An standard used identifier used by software
A UUID is simply a 128-bit value.
• exported_timestamp:
This is the timestamp when this image was created by Cisco
• csr:
Certificate Signing Request (CSR) This contains the Certificate Authority or CA
which holds the public key for this Smart Software Manager On-Prem . (Each
Smart Software Manager On-Prem has unique public key)
Smart Software Manager On-Prem –
Authorization
• Smart Account Assigned • Smart Software Manager On-
Information Prem Information
• collector_id: • UUID
ID assigned to this Smart Software • On-Prem_name
Manager On-Prem .
name of the Smart Software
• smart_account Manager On-Prem
• virtual_accounts • last_generated
• signing_cert, id_cert, timestamp of the authorization file
sub_ca_cert, local_sub_ca_cert generated at CSSM portal.
Certificate information to secure • Status
communication between Smart Status of Smart Software Manager
Software Manager On-Prem and On-Prem ability to register to CSSM
Cisco Smart Account.
Administration Workspace –Re-Registration New with 6.3
• Accounts which are disconnected from Cisco can be re-registered
• Same account
• Different account
• No loss of system data

• Users are not lost
• License usage and Products are not impacted
• No need to re-register existing products
SSM On-Prem– Sync Request
• id_cert, signing_cert, csr, signatures
Certificate information to secure communication between Smart Software Manager On-Prem
and Cisco
• last_generated/last_sync
timestamps used to get the (delta)synchronization data.
• virtual_accounts
This contains the virtual accounts, registered product instances and licenses in the Smart
Software Manager On-Prem .
SSM On-Prem – Sync Request
:sync: 2.0.0, Information Collected Required?
:version: 2.0.0
:id_cert: |- XXXXXXXXXXXXXXXXXX
Yes
(SUDI/SUVI/ID)
:collector_id: 4cdd0470-e5e4-0132-a310-005056841670
:csr: |- Licenses Consumed Yes
:last_sync: 2017-Jun-22 08:50:35 UTC Hostname No
:last_generated: 2017-Jul-20 11:22:16 UTC
:virtual_accounts: AAA ID of User Making Change No
- :id: 101342
:name: Ross-1 Feature Tags No
:product_instances:
- :id: 2373d312-2cd8-4029-9517-8c60037cca8c Other Smart Call Home Information No
:registration_date: 2017-Jun-12 07:25:40 UTC
:last_contact_date: 2017-Jul-02 06:13:47 UTC
:is_active: true
:software_tag_identifier: regid.2013-08.com.cisco.CSR1000V,1.0_1562da96-9176-4f99-a6cb-14b4dd0fa135
:udi_pid: CSR1000V
:hostname: CSR-1000v
:ip_address: NOTE: hostname is sent by default, to disable sending
:mac_address:
:udi_serial_number: 97YZFA9VYJK the hostname, configure:
:host_identifier: cfg-call-home# data-privacy hostname
:licenses:
- :tag_id: 1146
:tag: regid.2014-05.com.cisco.ax_2500M,1.0_3e0288f3-4838-47c2-93a8-3d8743850f0c
:consumed_quantity: 1
SSM On-Prem– Sync Response File
• id_cert, sub_ca_cert, signing_cert, local_sub_ca_cert, signature
Certificate information to secure communication between Smart Software
Manager On-Prem and Cisco
• collector_instance_id
• On-Prem_name
• last_generated/last_sync
timestamps used to get the (delta) synchronization data.
• Synchronization Information
Includes info about virtual accounts and licenses from Smart account to
Smart Software Manager On-Prem .
SSM On-Prem– Sync Response
Information Collected Required?
Yes
(SUDI/SUVI/ID)
:data:
:authentication: Licenses Consumed Yes
:id_cert: |- Hostname No
:local_sub_ca_cert:
:collector_instance_id: 4cdd0470-e5e4-0132-a310-005056841670 AAA ID of User Making Change No
:On-Prem_name: Ross-SSMS-SCH4.1.2-Prod-OVF10
:last_generated: 2017-Jul-20 11:25:48 UTC
Feature Tags No
:last_sync: 2017-Jul-20 11:22:16 UTC Other Smart Call Home Information No
:synchronization:
:products:
- :id: 3662
:display_name: Cisco IOS XRV 9000 Router
- :id: 3642
:product_type: IOSXRV
:software_tag_id: regid.2017-07.com.cisco.IOS-XRv9000,1.0_5a181e3a-27db-4cbc-8996-fb083ddbd594
- :id: 3682
:virtual_accounts:
- :id: 101342
:name: Ross-1  Any additional licenses added to Smart Account since prior
:smart_account_id: 10560 synchronization.
 Any new product SKUs and corresponding entitlement tags added to
CSSM
SSM On-Prem vs satellite Sync Behavior
Previously, if SSM satellite doesn’t sync with CSSM after 90-days, it no longer functions
properly and a new satellite need to be redeployed/PIs re-registered.
Satellite Enhanced Edition relaxes this rule such that it doesn’t need to sync to CSSM for
1 year and continue to function until 364th day.
• This allows Smart Licensing to address synchronization frequency issue for customers
who are not able to sync with CSSM within prior 90 day limits.
• SSM ON-Prem local Accounts still expires after 365 days. Satellite has to be re-deployed
and all its PIs re-registered
• Smart Software Manager On-Prem should synchronize with Cisco
every 30 days
• Automatic if Network Attached
• By manual file transfers in disconnected Mode
• Smart Software Manager On-Prem must synchronize with Cisco

within 364 days. After 364 days without synchronization;
• A new Account MUST be registered with Cisco
• All product instances in the Account are removed
• All ID Tokens in the Account are expired
• Products will need to be re-registered
Smart Software Manager On-Prem Sync with
CSSM
SSM On-Prem
Customer CSSM
Periodic Sync Request

Sync Response
Sync Response
Sync Response
N Accounts
Sync Response
Customer SSM On-Prem

CSSM
• Set custom text message when logging in to On-Prem
• This message will be displayed on the login page
• Enable remote logging and configure access to a syslog server
• Enable email notifications and configure email server settings
• Configure NTP server settings and sync system clock
• Enable a Message of the Day when accessing CLI via SSH
• This message will be displayed after the user logs in.
• Note: Content is stored on the filesystem in /etc/motd.
• Configure either OPEN LDAP for User Authentication
• Only one can be selected
• LDAP:
• Setup Server IP/FQDN
• Set Base DB
• Choose Authentication Method (currently on plain supported)
• LDAP Group RBAC Assignment:
• Setup Configure optional LDAP Group Authentication Base DN and Object Class
• General Settings
• Configure On-Prem host name
• Configure Default Gateway
• Configure DNS servers (Primary plus 2 backups supported)
• Network Interface
• List of interfaces available to On-Prem
• Ability to configure each interface and assign it a Zone
• Proxy Settings
• Enable/Disable Proxy to Cisco
• Configure proxy IP/FQDN and Credentials
Product Registration via Proxy
Customer Smart Agent Proxy On-Prem
1 Get Token ID
2 Register PI with Token ID

5 Response
6 Response
7 Entitlement Auth Request

8 Entitlement Auth Request
9 Entitlement Auth Response

(Authorized or OOC)
(Authorized or OOC)
Customer Smart Agent Proxy On-Prem
• Enable/Disable Local Software Download Server
• You must allocate disk space when On-Prem is deployed (0% by default)
• When enabled, a software download section will be available in License
Workspace
• Manually Add Cisco Software
• Product Family, Image Name, Description, Version, and Release Date
• Software Download Section (License Workspace)
• If an Account as a license matching the Product Family of an image
software uploaded, the image will be available for the User to download.
• If an Account does not have a matching Product Family, the software
image will not be shown.
• License APIs • Token APIs • Smart Account APIs
• Smart License Usage • Create Tokens • Account Search
• License Subscriptions • List Tokens • Validate User Access API
Usage Revoke Tokens
•
• Virtual Accounts APIs
• Transfer Licenses
• Device APIs • Create Local Virtual
• Smart License Alerts Account
• Product Instance Usage
• List Alerts Delete Local Virtual
• Product Instance Search •
Account
• Product Instance Transfer
• List Local Virtual Accounts
• Product Instance Remove
License Workspace
• Smart Licensing • Alerts
Track and manage Smart • Inventory
Licensing.
• Reports
• Preferences
• On-Prems
• Activity
Product Registration – Same Local Account
Customer Smart Agent On-Prem
1 Get Token ID
2 Register PI with Token ID

4 Response
5 Entitlement Auth

Account X;
(Authorized or OOC)
2a Register PI with Token ID Local VA #1
3a Registration Request
4a Response
5a Entitlement Auth
6a Entitlement Auth Response

(Authorized or OOC)
Customer Smart Agent On-Prem
License Workspace
• Request an Account  Account Properties
Get an Account for your organization.
 Local Virtual Accounts
• Request Access to an Existing
Account  Manage Users Account Access
Submit a request for access to an
Account  Custom Tags
• Manage Account  User Groups
Modify the properties of your Accounts
and associate existing User IDs with  Event Logs
Accounts.
Smart Software Manager On-Prem
High Availability
Smart Software Manager On-Prem HA
Deployment Configurations
New with 6.3
Active Standby
Admin UI Lic UI Admin UI Lic UI

On-Prem On-Prem
PostgreSQL PostgreSQL Internet
Pacemaker Pacemaker
Corosync Corosync
DNS Proxy Firewall

Server (NAT)
IPv4 (or IPv6) Management Network
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
CSR1kv
High Availably Deployment Procedures
• Install “Active“ On-Prem and register as normal
• Install “Standby” On-Prem but do not register (JUST configure the IP address)
• SSH in the Active On-Prem
• RUN the deploy HA Script
• Follow instructions to configure HA
• Once configured, On-Prem

• Connects to standby automatically
• Configures standby
• Replicates the database to standby (may take some time)
• There is an indication that standby is ready.
Smart Software Manager On-Prem – HA Active
Passive
Active Standby
Pacemaker is an open source cluster resource manager which
coordinates resources and services in a HA cluster. In essence, DB
DB
Corosync enables servers to communicate as a cluster, while
On-Prem Pacemaker provides the ability to control how the cluster On-Prem
Pacemaker behaves. Pacemaker
vSwitch vSwitch
VMware ESXi VMware ESXi
VIP Address 10.1.1.1
Service Address 10.1.1.2 10.1.1.3
On-Prem Services Admin UI | Lic UI Admin UI | Lic UI

Tomcat | Postgres Tomcat | Postgres
Sync
DRBD Master Standby
Resource Monitor Pacemaker
Cluster Manager Corosync
Smart Software Manager On-Prem – HA Active
Passive
Active
Standby
 Corosync - Messaging layer which enables
Admin UI Lic UI servers to communicate as a cluster, Admin UI Lic UI
On-Prem  Pacemaker is an open source cluster resource On-Prem
PostgreSQL manager (CRM) PostgreSQL
 Tomcat® is an open source Java Servlet
Pacemaker Container Pacemaker
Corosync  Postgres is an open source Relational Corosync
Database Management System (RDBMS)
New Simpler HA Deployment Procedures
• If master fails, standby is brought online automatically and starts responding to VIP
address.
• Any PI attempting to register during switch over will retry and when standby is ready
• Switch over takes less than 1 minute
• When master comes back online, standby will detect & go back to standby mode.
• If master can’t recover, deploy a new master. Use a prior backup (or pull a current
backup from standby On-Prem), restore master with the backup, and master will
take over.
• If both master and standby fails, deploy two new On-Prems and restore from
backup.
• When standby is down, system will report it is in “degraded mode”
Method 5
License Reservation
Introduction to License Reservation
The Smart Account must be authorized for License Reservation:
• Must have enough available licenses (Over subscription is not allowed)
• Smart Account must be authorized for any Export Restricted Functionality
Permanent License Reservation: Specific License Reservation:

• All features are enabled • Only featured owned can be reserved
• Cost premium • At no additional cost
• Some products will not support PLR • Not all products support SLR (yet)
Permanent License Reservation
• Manually exchange short ASCII strings with CSSM
• Two way data exchange via ASCII strings
• Product Request (UDI/vUDI, etc.) entered into CSSM (~ 32 characters*)
• CSSM returns an authorization locked to UDI/vUDI (34 characters)
• Entitles unlimited license consumption on product

CSSM
1
Get UDI/vUDI Type UDI/vUDI
Request Request
Get Auth String

4
Type Auth String
3
• Length will vary by product – 31 for new version of ASAv
Permanent License Reservation
• Transfers between Virtual Accounts is allowed
• License consumption and product must transfer together
• Increased license consumption is allowed and unrestricted (due to
“Universal” nature of license)
• User may un-register product to release licenses to their pool
Specific License Reservation
• Manually exchange information (copy and paste) with CSSM
• Two way data exchange via ASCII strings
• Product Request (UDI/vUDI, etc.) entered into CSSM
• Requested licenses and quantities chosen in CSSM
• CSSM returns an authorization locked to UDI/vUDI
CSSM
• Entitles specific license consumption on product
1 2
Get UDI/vUDI Type or Paste
Request Request String
3
Choose Licenses
5 4
Copy Auth String
Paste Auth String
Specific License Reservation
• Transfers between Virtual Accounts is allowed
• License consumption and product must transfer together
• Increased license consumption is allowed
• Authorized quantity will be persistent
• Product will strictly enforce reserved licenses/quantities – overage not
allowed
• User may change registration, up or down by re-registering
• User may un-register product to release licenses to their pool
License Reservation Summary
• PLR has a price premium because it enables all features on the
product whether you want them or not
• Not available on all products
• Node lock (cannot transfer licenses if it’s already in use)
• RMAs can be a challenge if you cannot get the return code off the
box
• Changing SLR entitlements can be difficult
Conclusion
Smart License is here today!
Key decisions you need to make...
Smart Account Virtual Accounts Product Telemetry
• All Cisco Products are • Determine ”Span of • What's your network
moving to Smart Licensing Control” access policy?
• Smart Account is not option • Who will manage the Smart • What product telemetry
• You will need it to register Account? method(s) will you use?
products? • Partner Managed? • Will you need a Smart
• Who needs to approve your • Central Managed? Software Manager On-
Smart Account creation? • Distributed Managed? Prem? How many?
• Smart Accounts are not • Who will manage the Smart Locations?
Optional!
License?
• Products may have limited
functionality until registered! • Who do I get the <id token>
from?
Get Ready! Get Set! Go!
Determining the best Method to Use
Your
Cisco
HTTPs Software
Method 1 & 2
Usage
• Cisco Product Cisco.com
• Device has Direct Network Access Your

Cisco
Simplest to Deploy and Use

Software
• Usage
Transport Gateway
or HTTPs Proxy Cisco.com
Cisco Product
• Method 3 & 4 Your
Device has Intermediate Network Access

Cisco
• Software
Usage
• One line change to Product Configuration HTTPs Smart Software

Cisco.com
Cisco Product Manager On-
Prem
Method 5
Your
• Request License
Cisco
Software
Usage
Copy/Paste
• Device has No Network Access License Response Cisco.com
Cisco Product
• Similar to PAK Files
Questions?
Continue your education
Demos in the
Walk-in labs
Cisco campus
Meet the engineer

Related sessions
1:1 meetings
You may be interested in the following sessions…
Simply your Cisco Asset and Entitlement Management
Experience with our Powerful New Platform
Timothy Knapp, BUSINESS OPERATIONS MANAGER, Cisco Systems, Inc.
Rehman Mohammed, SR. DIRECTOR, OPERATIONS, Cisco Systems, Inc.
Monday, June 10, 01:00 PM - 02:00 PM | SDCC - Upper Level, Room 28B
Session ID: PSONWT-2010
Smart Licensing from 0–100 inside Cisco DNA

Timothy Knapp, BUSINESS OPERATIONS MANAGER, Cisco Systems, Inc.
Wednesday, June 12, 01:00 PM - 02:00 PM | SDCC - Upper Level, Room 32A
Session ID: BRKARC-1600
Cisco Smart Software Manager On-Prem
For More Information
Cisco® Smart Licensing
www.cisco.com/go/smartlicensing
(http://www.cisco.com/c/en/us/products/abt_
sw.html)
Cisco® Smart Software Manager

www.cisco.com/go/smartOn-Prem
(http://www.cisco.com/web/ordering/smart-
software-manager/smart-software-manager-
On-Prem.html)
Cisco® Smart Accounts

www.cisco.com/go/smartaccounts
(http://www.cisco.com/web/ordering/smart-
software-manager/smart-accounts.html)
Cisco Smart Call Home
For more Information
Cisco® Call Home

User Guide
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/smart_call_home/user_guides/SCH_Ch4.pdf
Troubleshooting Guide
http://www.cisco.com/c/dam/en/us/td/docs/switches/lan/smart_call_home/user_guides/SCH_Ch5.pdf
Cisco® Transport Gateway

Smart Call Home
http://www.cisco.com/c/en/us/support/cloud-systems-management/smart-call-home/tsd-products-support-
series-home.html
Cisco Privacy and Security Compliance
http://www.cisco.com/web/about/doing_business/legal/privacy_compliance/index.html
Complete your
online session • Please complete your session survey
evaluation after each session. Your feedback
is very important.
• Complete a minimum of 4 session
surveys and the Overall Conference
survey (starting on Thursday) to
receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live
Mobile App or by logging in to the Session
Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing
on demand after the event at ciscolive.cisco.com.
Thank you
#CLUS
#CLUS

BRKARC-2034-Care and Feeding of Smart Licensing

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKARC-2034-Care and Feeding of Smart Licensing

Uploaded by

Copyright:

Available Formats

#CLUS

Donnie V Savage, Software Architect

Webex Teams will be moderated cs.co/ciscolivebot#BRKARC-2034

• DLC – Device Led Conversion • SA – Smart Account

• DNS – Domain Name Server • SBP – Subscription Billing Platform

• FQDN - Fully Qualified Domain Name • SCH – Smart Call-Home

• LCS – License Crypto-Module Support • SKU – Stock Keeping Units

• LVA – Local Virtual Accounts • SLR – Specific License Reservation

Limited View Complete View

PAK Registration Easy Registration

Device Specific Company Specific

Ordering and Smart Account

Manage Software License

Ordering and Smart Account

Enter Domain Identifier to notify Administrators

Customer Smart Account Roles the Smart Account Administrator role.

Smart Account • Edit/View Account Properties • No access • No access • No access

• Cisco Smart Licensing is configuration only

• Smart License Enabled Products

Users & Roles

• These assets can be further divided into “Virtual

• Product Instances are visible via CSSM portal or On-Prem

User Based Access Manage Services and Review Cases

License Portability Smart Accounts

Features Activations and Usage

Product Health Telemetry Mgmt. Economies of Scale

Revenue Leakage Prevention

Users & Roles

Customer Smart Account Partner Holding

Virtual Accounts Share devices and licenses

Users & Roles

Licenses Major Alert: Insufficient licenses – 25 needed to return to

License Quantity In Use Surplus

Product Registration command/GU feature & Licenses

I with ID reports usage

Used to securely Register products to a Smart Account and Virtual Account

Smart Licensing is ENABLED

Configure which licenses to enable license boot level license_level

* See Product specific Configuration guide for all options

Smart Use a Proxy Server instead of Direct Connect:

Product is using an entitlement, and the Virtual Account Failed

Note: Platforms may differ with timeouts, check with

2. Cisco will reply with a Cryptograph ID certificate that, Failed

• If there is a failure sending the message the retry,

configured to use licenses via CLI Failed

1. Indicate if the Virtual Account is in or out of compliance Registered

the renewal interval.

90 days, and renewed every 30 days

renewal, the retry interval will be as follows: Failed

• Retry every 23 hours

• Retry every 15 minutes for two hours

• Or until Cryptograph ID certificate expires. Failed

• License usage is released Registered

• If there is NO Communications after 1 year

• Smart Call Home Information is optional 1101001

• Smart License Information is minimal

* By default more information is exchanged, but this is configurable

• If you sell a device, the licenses are NOT transferred:

Access Through An On-Premise License

5 No Access – License Reservation

Smart Licensing Direct Cloud Access

Call Home Client

Decision is made by the configuration of the SCH configured